Skip to main content

Signal K Server CVE-2026-39320

| EUVDEUVD-2026-24021 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-21 GitHub_M GHSA-7gcj-phff-2884
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 20:51 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:23 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24021
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:07 nvd
HIGH 7.5

DescriptionGitHub Advisory

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.

AnalysisAI

Signal K Server versions before 2.25.0 allow remote unauthenticated attackers to crash the server via Regular Expression Denial of Service (ReDoS) in WebSocket subscription handling. By injecting unescaped regex metacharacters into the context parameter, attackers trigger catastrophic backtracking that consumes 100% CPU and renders the server completely unresponsive to all API and socket requests. This creates a complete denial of service for marine navigation systems relying on Signal K Server as their central data hub. While EPSS score is low (0.04%, 13th percentile), the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) and complete availability impact make this a priority for boat operators running vulnerable versions. No public exploit identified at time of analysis, but the GitHub security advisory provides clear technical details. Vendor-released patch available in version 2.25.0.

Technical ContextAI

Signal K Server is a Node.js-based application that serves as a centralized data hub for marine vessels, aggregating sensor data, GPS, AIS, and other navigation information via standardized protocols. This vulnerability exploits algorithmic complexity in regular expression evaluation-specifically, the WebSocket subscription handler fails to sanitize regex metacharacters in the context parameter before using it to match against UUID strings. When an attacker provides input designed to cause catastrophic backtracking (a known ReDoS pattern), Node.js's single-threaded event loop becomes blocked in exponential-time regex evaluation. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), reflecting the lack of input validation and resource limits on regex operations. The affected component is the subscription filtering logic that matches incoming data streams to client subscriptions, a core function executed on every WebSocket message. The CPE identifier cpe:2.3:a:signalk:signalk-server confirms this is specific to the Signal K Server product, not the broader Signal K protocol or client implementations.

RemediationAI

Upgrade immediately to Signal K Server version 2.25.0 or later, released by the vendor with commit 215d81eb700d5419c3396a0fbf23f2e246dfac2d (https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d) and merged via pull request #2568. The fix implements proper input sanitization for regex metacharacters in WebSocket subscription context parameters. Download from official release page: https://github.com/SignalK/signalk-server/releases/tag/v2.25.0. For installations unable to upgrade immediately, implement network-level access controls to restrict WebSocket connections to trusted IP addresses only-configure firewall rules to block external access to Signal K Server ports (typically 3000/tcp) and require VPN or local network access. This workaround significantly reduces attack surface but requires careful network segmentation planning to maintain legitimate remote monitoring capabilities. Alternatively, deploy a reverse proxy (nginx, HAProxy) with request rate limiting and WebSocket message size restrictions as a temporary measure, though this adds complexity and may impact legitimate high-frequency data streams. Note that disabling WebSocket functionality entirely breaks core Signal K Server functionality and is not a viable long-term mitigation. All marine operators should validate patch deployment and monitor CPU utilization for anomalous spikes indicating potential exploitation attempts.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy